Re: excessive SAs?

tom.brockman · ‎09-25-2006

I have site-to-site tunnel configured between my PIX515e and a Nortel Contivity 1010 (I don't manage this device).

The tunnel has been up and running for about 9 months now. It seems that after a few weeks the tunnel will stop working (i.e; users on one side can't reach a host on the other side). If I issue the SHOW IPSAKMP SA command at the PIX, it will show STATE=QM_IDLE, PENDING=0, CREATED=141 (or some other large number of created SAs). Every other site-to-site tunnel that I have will show no more than 2 or 3 SAs created. For what it is worth, there is usually very little traffic going over this tunnel (1 or 2 users on each side).

If I enter the command CLEAR CRYPTO ISAKMP SA, the SAs are dropped, the SA count reset to zero, and the tunnel starts working again.

Any ideas what the high SA count means and if/why this would prevent my tunnel from working?

Thanks in advance for any help offered.

Report Inappropriate Content · ‎09-29-2006

Check there any is mismatch with SA lifetimes in both site.

SA Lifetimes:

The Phase 1 (IKE) lifetime on a PIX firewall is 86400 (24hours). The Phase 2 (IPSec) lifetime on the PIX is 3600 seconds (1 hour).

When a tunnel is initialized an SA (Security Association) is created for each Phase (1 & 2) and the timers starts counting down. At the end of an hour the PIX will delete it's Phase 2 SA unless the tunnel is active. If the tunnel is active when the 1 hour timer expires, then a new SA will be negotiated between the PIX and the other IPSec peer.

tin.ngo · ‎12-14-2006

When the new SA is being negotiated, is the connection from a user using VPN client get drop and he has to reconnect again manually?